Risk and Opportunity Register - Master Sheet 


# | Date raised | Ref | Opportunity/risk description (opportunities shaded in blue) | Risk appetite area | Risk appetite | IRSP goals | Current probability | Current impact | Current overall priority | Strategic | Target probability | Target impact | Target overall priority


1 | 01/04/17 | R4 | Capacity and Capability: (Cause) Risk that increasing demand, public and stakeholder expectations, and/or additional unplanned work and/or reduced availability of staff results in (Threat) key resources being overstretched and having insufficient capacity to deliver all business plan requirements, (Impact) resulting in business operational issues and pinch points, possible failure to deliver regulatory priority activities and impacting upon the ICO’s ability to deliver all of its intended objectives and outcomes. | Infrastructure and resources | Open

2 | 30/04/19 | R73 | Compliance culture: (Cause) Risk that as demand and capacity increase and/or changes, the ICO’s infrastructure and accountability culture is unable to (Threat) keep up with the pace of change to comply with legal and other obligations expected of a modern regulator (Impact) impacting upon its ability to maintain and increase public trust and be an effective and knowledgeable regulator. | Organisational controls and compliance | Cautious
3 | 28/06/17 | R3 | | Regulatory enforcement | Cautious | 5,6 | Same <> | Corporate
4 | 30/07/18 | | Financial Resilience: (Cause) Risk that sensitivities in the income growth forecast and new territories of expenditure create inaccurate financial forecasting and planning assumptions (Threat) leading to insufficient funding and financial stress (Impact) impeding the ICO’s ability to meet its statutory requirements, and full delivery of all of its intended IRSP goals and outcomes. | Infrastructure and resources | Down ↓ | Corporate | 3
5 | 06/04/20 | R84 | Major Incident: (Cause) Risk that an internal or external major incident occurs (e.g. extreme weather, fire incident, chemical incident, pandemic (e.g. Covid-19), or deliberate incidents such as terrorist acts) which renders the ICO unable to utilise part or all of its resources and infrastructure (such as staff, buildings, IT systems etc) such that (Threat) the ICO is unable to deliver some, or in extreme cases all of its regulation services, (Impact) increasing public information rights risk for a period of time and resulting in a reduced achievement of the IRSP Goals over the longer period.

06/04/20 | R85 | Managing ICO Reputation: (C) Risk that decisions are taken without giving due consideration to the strategic reputational impact on the ICO (T) such that action is not taken at the right time to proactively and effectively manage the reputation of the ICO (I) impacting upon the ICO’s ability to increase public trust and confidence, provide excellent public service and to demonstrate that it is an effective and knowledgeable regulator.
7 | 130/06/17 | R2 | | Organisational change and development
27/09/18 | R10 | Statutory Codes: (Cause) Risk that significantly complex and contentious subject matter (e.g. economic impact), alongside competing stakeholder audience expectations slows the drafting and implementation of Statutory Codes of Practice such that (Threat) the ICO is unable to deliver the Codes within required timescales and to the desired quality through the eyes of external stakeholders (Impact) impacting negatively on the ICO’s reputation and relevance as a regulator to deliver across all stakeholders, decreasing its public trust, influence and effectiveness. | Regulatory guidance and strategy
27/11/18 | R61 | Litigation Resource: (Cause) Risk that multiple or a single significant legal challenge or trend emerges (Threat) diverting significant financial and non-financial resources into possibly lengthy legal disputes (Impact) impacting upon the ICO’s ability to legally defend itself which could have a domino effect on its decision making, its financial resilience, its reputation as an effective regulator and diluting its operational ability to achieve all of its IRSP goals. | Infrastructure and resources | 3 | 4 | Same <> | Corporate
10 | 07/07/20 | R88 | Future role of the ICO: (Cause) Government led reviews of the role of the future data protection regulatory framework, and of the ICO’s role, governance and remit (Threat) leads to organisational and stakeholder uncertainty (Impact) impeding the ability of the ICO to regulate with maximum efficiency and effectiveness, plan for the future and have clarity of its strategic objectives. | Organisational change and development | All goals | 3 | 4 | New | Corporate


11 | 08/03/19 | R72 | SMOs: (Cause) Risk that the ICO does not sufficiently recognise and act on the needs of small organisations such that the ICO (Threat) does not provide SMOs with value for money relevant services resulting in (Impact) low levels of awareness, poor trust and information rights practices from SMOs impacting upon the ICO’s delivery of the IRSP goals around increasing public trust and confidence, improving standards of practice and being an effective regulator. | Regulatory guidance and strategy | 3 | 4 | Same <> | Corporate

12 | 15/06/20 | R87 | International position: (Cause) The uncertain global context in which the ICO operates (in particular the UK’s future global relationships with and outside the EU and implications of the Covid19 pandemic) lead to (Threat) the ICO failing to develop and maintain effective international relationships or effectively deliver aspects of its domestic regulatory role, thereby reducing opportunities to develop global collaborative DP approaches on policy, tech and interoperability and (Impact) putting at risk our ability to protect the UK public’s interests. | Reputational | Cautious | 3 | 3 | 4 | Down ↓ | Corporate
15 | 13/04/18 | R11 | ICO fails to deal with issues arising from Operation Cederberg in a timely and effective way; in particular in relation to the public challenge to ICO regulatory decisions.

Compensation: (Cause) The ICO is unable to award compensation to complainants unlike other ombudsman services. As a consequence, (Threat) consumers go to an ombudsman scheme where compensation can be awarded, (Impact) so the ICO is not seen as a relevant regulator and fails to capture data about these breaches.

Management Board Resilience: Management Board and Executive Team capacity and resilience may not be sufficient to retain clarity of leadership and direction during a critical period of change to the regulatory landscape resulting in delay to the achievement of the IRSP goals and operational, regulatory and organisational priorities.

Risk that there is inadequate oversight or planning of the ICO's business projects programme which may result in projects not delivered to time, to scope, or within budget threatening the achievement of a number of elements pertinent to the IRSP goals.

Failure to provide adequate support to ICO senior leaders results in failure to meet strategic goals and priorities.

in particular in relation to its own compliance with FOI, GDPR and DPA18
20 | 15/09/18 | R40 | Opportunity to award grants to support independent, innovative research and solutions focused on privacy and data protection issues. Risk of those receiving funds failing to deliver the agreed project.

21 | 02/10/18 | Inadequate physical security measures result in a security breach at an ICO office or a personnel security issue.

22 | | R19

27/09/18 | Failure to provide advice and guidance to staff on regulatory issues in a timely manner results in inconsistency of external advice.

We fail to successfully make the case for the funding and resources required to deliver the scope of our duties under FOIA/eIDAS and NIS and the Grant in Aid awarded is not sufficient to support the achievement of our stated priorities.

Poor records management practice means that it is difficult for staff to find (or be provided with) the relevant corporate information that allows them to do their job.

Legislation or its legal interpretation presents unanticipated challenges to the ICO operational model.

The website functionality and user experience does not allow the ICO to communicate effectively.

01/04/17 | The risk that day to day IT is not reliable or fit for purpose. | Infrastructure and resources

Our understanding and regulation of the use of web and cross-device tracking for marketing purposes (a regulatory priority) does not keep pace with the use of those processes and technologies in the market, meaning we cannot act as an effective regulator in this space and the public’s data and privacy rights are not protected as a result.

30 | 13/07/18 | We fail to be the best employer we can be, attracting and retaining the very best talent. | Staff recruitment, retention, development, wellbeing and safety
08/01/19 | We fail to manage high profile investigations in the most efficient and effective way possible, minimising the resultant impact of the investigation | Regulatory investigation and intervention | Cautious | Same <> | Strategic


01/04/18 | R18 | Risks and opportunities are not managed adequately across the organisation leading to inefficient or ineffective use of resources during times of competing priorities such that it takes longer to achieve planned objectives that contribute to meeting all 6 of the IRSP goals. | Organisational controls and compliance | Cautious | Same <> | Strategic
20/09/18 | R23 | We fail to inspire continuous improvement through common values and a high performance culture | Staff recruitment, retention, development, wellbeing and safety | Cautious | Same <> | Strategic


20/09/18 | Communication with individuals fails to inspire trust and confidence in how personal data is handled | Reputational | Cautious | Same <> | Strategic
02/10/18 | We fail to attract, develop and sustain a workforce with sufficient capability | Staff recruitment, retention, development, wellbeing and safety | Cautious | 2


08/03/19 | R79 | That our communications activities are not aligned with our strategic priorities, leading to the failure to engage relevant audiences to positively influence our work as a regulator | Reputational | Cautious

13/07/18 | We fail to develop and maintain an expert and resilient workforce | Staff recruitment, retention, development, wellbeing and safety | Cautious | Same <> | Strategic | 3


35 | 01/10/18 | We fail to promote awareness of the ICO as the information rights regulator, meaning stakeholders and the public do not access ICO services | Reputational | Cautious


We fail to improve organisational compliance across DP and FOI and are not seen as an effective regulator | Regulatory guidance and strategy | Open


20/12/18 | Our thematic reports do not reach the right audience and fail to have meaningful impact | Regulatory guidance and strategy | Open


11/04/19 | Our regulation of surveillance technology, including AFR, (a regulatory priority) falls behind developments in and use of that technology across public and private sectors, with associated harm to the public. | Regulatory investigation and intervention | Cautious
01/04/18 | That the ICO fails to take advantage of opportunities to communicate our key messages to the public, to stakeholders and to new audiences. | Reputational | Cautious


24/09/18 | ICO staff fail to own and develop their individual capability and to maximise their personal contribution to our strategic goals and priorities. | Staff recruitment, retention, development, wellbeing and safety | Cautious


Continuous change, update and system refreshes may introduce vulnerabilities to our IT systems. Introduction of new Ways of Working (WoW) increases the attack surface of the organisation due to additional device functionality and new working practices of our staff. | Security | Averse


We fail to adequately resource or make optimum use of intelligence to inform our operational and corporate decisions. | Regulatory assessment | Cautious


Improving Productivity: (Cause) Risk that growth in the ICO’s investment in infrastructure, people and process resources (Threat) is not effectively utilised to reduce contradictory and duplicated efforts, minimise delivery gaps, exploit new business models and maximise best use of ICO resources such that (Impact) whilst the ICO grows it does not improve efficiency and productivity and is no better placed to achieve the ICO’s IRSP goals and corporate outcomes. | Organisational change and development | Open


44 | 01/04/18 | R39 | We don't adequately identify information governance and security risks when implementing new projects, systems and processes | Security | Averse


R21 | Cyber Security: (Cause) Risk that although the ICO is continuously vigilant with its cyber security controls, as the ICO’s profile increases and it innovates with new technology systems, (Threat) it becomes increasingly at risk of a security breach, either malicious or inadvertent from within the organisation or from external attacks by cyber-criminals. (Impact) This could result in many negative impacts, such as distress to individuals, legal, financial and serious reputational damage to the ICO, possible penetration and crippling of the ICO’s IT systems preventing it from delivering its regulatory functions and IRSP goals. | Security | Averse | Same <> | Corporate


Political and Economic Environment: (Cause) Risk that the ICO doesn't have the plans or the ability to respond to changes in the economic climate, government policy or to government attitudes and reviews, meaning that the ICO doesn't (Threat) adapt and flex quickly enough or in the right way to meet changing stakeholder views and needs (Impact) preventing the achievement of the IRSP goal to be an effective and efficient regulator. | Regulatory guidance and strategy | New | Corporate


Poor industrial relations may impair engagement between ICO management and its workforce, leading to sub-optimum productivity and reduced ability to deliver change. | Organisational change and development | Same <> | Not strategic


Policy guidance is not responsive to external developments and stakeholder needs. | Regulatory guidance and strategy | Up ↑ | Not strategic
56 | 01/04/17 | R48 | Strategic IT projects are not delivered to time, cost or quality:
* Ways of working
* ICE
* EDRM
* Website

Fail to communicate a clear corporate vision and narrative to staff to enable them to understand the goals and priorities of the office.

Cyber defences are not sufficiently robust because the IT environment is not maintained to the required standard, security and integrity, especially during a period when the ICO is moving its IT managed service contract away from Northgate to other suppliers and to increased in-house support.


Failure to comply with procurement, financial or contractual obligations.


If the ICO, in its role as a regulator, fails to deploy its powers in a targeted, proportionate and effective way, there is a risk that our regulatory interventions will not achieve the change in behaviour needed to build public trust and confidence.

Our understanding and regulation of the data broking market does not keep pace with developments in the market (a regulatory priority), meaning we cannot act as an effective regulator in this space and the public’s data and privacy rights are not protected as a result.

Our understanding of the way political parties and campaigns are using personal data in modern campaigning techniques (a regulatory priority) fails to keep pace with technological developments in this area, meaning we can't act as an effective regulator in this space, which has an impact on citizens’ privacy rights and our democratic system.

01/04/18 | R51 | Loss of resources as a result of fraud or misappropriation of funds.


05/05/17 | That we do not have sufficient space to accommodate our expanding workforce. | Infrastructure and resources | Open

Incorrect or misstated financial information leads to poor decision support.


Opportunity for staff to positively engage with stakeholders through responsible use of social media.

We fail to recognise and keep up to date with changes in expectations re the way our stakeholders engage with us, in particular the use of social and other media channels, leading to a reduced audience for our key messages.


R79 | We fail to be an effective and knowledgeable regulator for AI, big data and automated decision-making involving personal data (a regulatory priority), both in terms of how we regulate AI and how we use AI.

R69


We fail to deliver a new FOI strategy which is ambitious and meets the needs of external stakeholders, complainants and the public.

That the ICO does not deliver its regulatory obligations and ambitions in relation to children's privacy (a regulatory priority).

The Information Commissioner's regulatory powers are improperly delegated or exercised, causing the ICO to act ultra vires and be open to legal challenge.

Our regulation of cyber-security (a regulatory priority) fails to be effective (i) as we build our capacity and capability and (ii) as advances in technology and new and emerging threats increase in complexity.